In order to protect a network and regulate network traffic, state-of-the-art network devices enforce network policies on network traffic. A network policy describes how a network device shall operate and applies restrictions to different types of network traffic, sources, destinations and traffic content. A network policy can be created using an Internet Protocol (IP) address and/or a domain name. The two common methods of enforcing network policies are an overriding routing table used in routers and content examination by a proxy server.
A router uses a routing table to determine how to forward network traffic. The router implements an overriding routing table to override the routes established or recorded in the routing table in order to execute network policies. At a router, network policies are based on IP addresses, not domain names. A router examines the IP address of a packet to check whether the IP address has been specified in the overriding routing table. If so, the packet is routed according to the network policy stated in the overriding routing table. If not, the packet is routed according to the routing table. The benefit of using an overriding routing table is the simplicity with which it enforces network policies. The disadvantage of using an overriding routing table is its inflexibility: a domain name cannot be used to enforce network policies.
For state-of-the-art routers, if a network administrator wants a routing policy based on a domain name, the administrator has to look up the IP address or addresses corresponding to the domain name first, and then create a routing policy at the router using those IP addresses. Since a domain name may resolve to several addresses that change over time, and the possible combinations of subdomain and host name are almost unlimited, this method is labour intensive and subject to human error.
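The following is an added illustration, not code from the original text, of the two-stage lookup described above and of why a domain-name policy is awkward to express at a router. Both tables, the next-hop names, and the static stand-in for DNS resolution are constructed for the example; a real router would use its forwarding tables and the administrator would query a resolver.

```python
import ipaddress

# Constructed example: the ordinary routing table and the overriding routing
# table, both keyed by prefix. Lookup consults the overriding table first and
# falls back to the routing table, using longest-prefix match within each table.
ROUTING_TABLE = {
    "0.0.0.0/0": "isp-uplink",
    "10.0.0.0/8": "corp-core",
    "10.20.0.0/16": "branch-wan",
}

OVERRIDING_ROUTING_TABLE = {
    "10.20.5.0/24": "drop",          # policy: block this subnet
    "203.0.113.7/32": "inspection",  # policy: steer one host through an inspection path
}


def _longest_prefix_match(table, ip):
    """Return (network, next_hop) for the most specific prefix containing ip, or None."""
    best = None
    for prefix, next_hop in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def route_packet(dst_ip, override=OVERRIDING_ROUTING_TABLE, routes=ROUTING_TABLE):
    """Return (source_table, next_hop) for a packet's destination address."""
    ip = ipaddress.ip_address(dst_ip)
    hit = _longest_prefix_match(override, ip)
    if hit is not None:
        return ("override", hit[1])
    hit = _longest_prefix_match(routes, ip)
    return ("routing-table", hit[1])


# Constructed, static stand-in for DNS resolution so the example runs offline.
# In practice the administrator runs a resolver query and copies the answers.
STATIC_DNS = {
    "cdn.example.com": ["203.0.113.7", "203.0.113.8"],
    "www.example.com": ["198.51.100.10"],
}


def add_domain_policy(domain, next_hop, override=OVERRIDING_ROUTING_TABLE, resolver=STATIC_DNS):
    """Translate a domain-name policy into per-IP override entries, as a router requires.

    Returns the prefixes added. Each host name must be resolved and entered
    separately, and the entries silently go stale when the DNS answer changes.
    """
    added = []
    for addr in resolver.get(domain, []):
        prefix = f"{addr}/32"
        override[prefix] = next_hop
        added.append(prefix)
    return added


if __name__ == "__main__":
    print(route_packet("10.20.5.9"))       # override: drop
    print(route_packet("10.20.9.1"))       # routing table: branch-wan
    print(add_domain_policy("www.example.com", "drop"))
    print(route_packet("198.51.100.10"))   # now overridden
```

The lookup order is the whole mechanism: a more specific routing-table entry never beats an override entry, because the override table is consulted first and the routing table is only reached on a miss. The domain-policy helper shows the administrative gap: it can only ever capture the addresses known at the moment of entry.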
A proxy server may examine the contents passing through it. If, after examining the contents, the proxy server finds that they satisfy the conditions of a routing policy, the proxy server takes the corresponding network traffic routing action against the contents and the network traffic, such as filtering, blocking and/or forwarding. Some common methods used for content examination include Uniform Resource Locator (URL) or Domain Name System (DNS) blacklists, URL regex filtering, Multipurpose Internet Mail Extensions (MIME) type filtering, and content keyword filtering. Some proxy servers designed for handling web traffic have been known to employ content analysis techniques to look for traits commonly used by certain types of content providers. The administrator may supply many combinations of URLs, domain names, IP addresses, keywords and so on to create network traffic routing policies. The benefits of using a proxy server include the flexibility to use domain names to create network traffic routing policies. One of the disadvantages of using a proxy server is the limit on network traffic throughput, since a proxy server in general uses more processing power and storage. Another disadvantage is that a proxy server is application specific. For some applications, such as those using Secure Sockets Layer (SSL), a fully transparent proxy server is difficult to implement, and one that inspects such traffic may be vulnerable to man-in-the-middle attacks.
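The following is an added example, not code from the original text, of the content-examination methods listed above applied by a proxy to a web request and its response: a domain blacklist that also covers subdomains, URL regex rules, MIME-type filtering, and keyword filtering on text bodies. The rule sets, hostnames and request data are constructed for the example; the function names are the example's own.

```python
import re
from urllib.parse import urlsplit

# Constructed policy data for the example.
DOMAIN_BLACKLIST = {"ads.example.net", "malware.example.org"}
URL_REGEX_RULES = [
    re.compile(r"\.(exe|scr)$", re.IGNORECASE),   # executable downloads by extension
    re.compile(r"/wp-login\.php"),                # an admin endpoint the policy blocks
]
BLOCKED_MIME_TYPES = {"application/x-msdownload", "application/octet-stream"}
# A list, not a set, so the reported keyword is deterministic.
BLOCKED_KEYWORDS = ["confidential", "do not distribute"]


def domain_blacklisted(host):
    """True if the host or any parent domain is on the blacklist."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in DOMAIN_BLACKLIST for i in range(len(labels)))


def examine_request(url):
    """Apply the domain blacklist and URL regex rules to a request URL.

    Returns (action, reason). For TLS traffic a proxy that does not terminate the
    connection sees only the server name, so only the domain check applies there.
    """
    parts = urlsplit(url)
    if domain_blacklisted(parts.hostname or ""):
        return ("block", "domain-blacklist")
    for rule in URL_REGEX_RULES:
        if rule.search(parts.path):
            return ("block", "url-regex")
    return ("forward", None)


def examine_response(content_type, body):
    """Apply MIME-type filtering, then keyword filtering on text bodies."""
    mime = content_type.split(";")[0].strip().lower()
    if mime in BLOCKED_MIME_TYPES:
        return ("block", "mime-filter")
    if mime.startswith("text/"):
        text = body.decode("utf-8", errors="replace").lower()
        for keyword in BLOCKED_KEYWORDS:
            if keyword in text:
                return ("filter", "keyword:" + keyword)
    return ("forward", None)


if __name__ == "__main__":
    print(examine_request("http://tracker.ads.example.net/pixel"))
    print(examine_request("http://files.example.com/setup.exe"))
    print(examine_request("http://www.example.com/index.html"))
    print(examine_response("text/html; charset=utf-8", b"<p>This is CONFIDENTIAL</p>"))
    print(examine_response("application/octet-stream", b"MZ\x90\x00"))
```

Every one of these checks needs the proxy to parse the application protocol, which is why the text calls the approach application specific: the same rules cannot be applied by a router that sees only packet headers, and for SSL the body-level checks are unavailable unless the proxy terminates the connection itself.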
Therefore it is desirable to allow a router to use domain-name-based network policies for routing. However, enabling such domain-name-based policies in a router by implementing the content examination performed by a proxy server would increase the complexity and computing resource requirements of the router.